HackTheBox – Traverxec – Writeup

User

  1. Port and version enumeration: nmap -sV -sC -oA traverxec.htb 10.10.10.165
  2. We see that the HTTP server in use is nostromo 1.9.6. This is a vulnerable service, as shown by https://www.exploit-db.com/exploits/47573
  3. We can run the Metasploit module as per Rapid7.
  4. This gives a shell as www-data.
  5. Running LinEnum.sh provides some interesting data, namely that we have a .htpasswd hash available.
  6. This hash is an md5crypt hash. We will use john htpasswd --wordlist=/usr/wordlist/rockyou.txt to crack this.
  7. After cracking this hash, we need to find the HTTP directory where we can use this password.
  8. Browsing /home/david/public_www we can find a protected area. The password cracked earlier works!
  9. Download the tar.gz file and extract using gunzip.
  10. We have some SSH key backups. The most important file here is id_rsa.
  11. Use ssh -i <key file> to try and connect to david@traverxec.htb.
  12. We need a passphrase. Let's try using ssh2john and pass it to john to brute force. We will use rockyou.txt once again.
  13. Passphrase found! Use this to connect via ssh.
  14. id = david
  15. cat user.txt

Root

  1. Use the shell script in the home directory and see the commands being issued, namely the use of sudo with journalctl.
  2. Copy the file elsewhere and execute. It still works.
  3. Add an && operator and issue /bin/sh at the end of the shell script.
  4. Run the script and you should be able to use !/bin/sh to get a shell via less with uid=0.
  5. cat root.txt
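
The root step works because journalctl run through sudo hands its output to less, and less can start a shell that inherits uid=0. As an added example (not part of the original writeup), this Python script audits sudoers text for rules that grant journalctl or systemctl without the NOEXEC tag or a fixed --no-pager argument; the sample rules, user names and tool list are constructed assumptions.

```python
import re

# systemd tools that page their output through less when run on a terminal.
# Assumption: illustrative list, not exhaustive.
PAGING_TOOLS = {"journalctl", "systemctl"}
SKIP = ("#", "@", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sudoers content for the demo (not taken from the target host).
SAMPLE = """\
Defaults env_reset
opsa ALL=(root) NOPASSWD: /usr/bin/journalctl -n 5 -u web.service
opsb ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n 5 -u web.service
opsc ALL=(root) NOEXEC: /usr/bin/journalctl -n 5 -u web.service, /usr/bin/systemctl status web
opsd ALL=(root) /usr/bin/systemctl status web, /usr/bin/id
"""

def audit_sudoers(text):
    """Return (user, command) pairs where a pager shell escape would run as the target user."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = line.strip()
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        who, _, specs = line.partition("=")
        user = who.split()[0]
        noexec = False                                    # tags persist across a command list
        for spec in re.split(r"(?<!\\),", specs):         # unescaped commas separate commands
            spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec).strip()   # drop the (runas) part
            while (m := TAG.match(spec)):
                if m.group(1) == "NOEXEC":
                    noexec = True
                elif m.group(1) == "EXEC":
                    noexec = False
                spec = spec[m.end():]
            if not spec:
                continue
            path, *args = spec.split()
            tool = path.rsplit("/", 1)[-1]
            if tool in PAGING_TOOLS and not noexec and "--no-pager" not in args:
                findings.append((user, spec))
    return findings

if __name__ == "__main__":
    for user, cmd in audit_sudoers(SAMPLE):
        print(f"{user}: pager escape possible via '{cmd}'")
```

NOEXEC relies on sudo's preload shim, so it only constrains dynamically linked binaries. Cmnd_Alias expansion and a global Defaults noexec are not handled here.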
